Merge pull request #4188 from MicrosoftDocs/main

pushing updates live

Author: denisebmsft

defender-endpoint/advanced-features.md

@@ -11,7 +11,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier2
-ms.topic: conceptual
+ms.topic: how-to
 ms.subservice: onboard
 search.appverid: met150
 ms.date: 02/25/2025

defender-endpoint/aggregated-reporting.md

@@ -10,7 +10,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier3
-ms.topic: conceptual
+ms.topic: article
 search.appverid: met150
 ms.date: 03/04/2025
 appliesto:

defender-endpoint/android-configure-mam.md

@@ -12,7 +12,7 @@ ms.collection:
 - m365-security
 - tier3
 - mde-android
-ms.topic: conceptual
+ms.topic: how-to
 ms.subservice: android
 ms.date: 08/26/2024
 ---

defender-endpoint/android-support-signin.md

@@ -11,7 +11,7 @@ ms.collection:
 - m365-security
 - tier3
 - mde-android
-ms.topic: conceptual
+ms.topic: troubleshooting-general
 ms.subservice: android
 search.appverid: met150
 ms.date: 03/21/2025

defender-endpoint/api/api-power-bi.md

@@ -12,7 +12,7 @@ ms.collection:
 - m365-security
 - tier3
 - must-keep
-ms.topic: conceptual
+ms.topic: how-to
 ms.subservice: reference
 ms.custom: api
 search.appverid: met150

defender-endpoint/assign-portal-access.md

@@ -12,7 +12,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier2
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 01/28/2025
 ---
 

defender-endpoint/attack-surface-reduction-rules-deployment-implement.md

@@ -28,7 +28,7 @@ search.appverid: met150
 - [Microsoft Defender for Endpoint Plan 1](microsoft-defender-endpoint.md)
 - [Microsoft Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)
 
-Implementing attack surface reduction rules move the first test ring into an enabled, functional state.
+When you're implementing attack surface reduction rules, move the first test ring into an enabled, functional state.
 
 > :::image type="content" source="media/asr-rules-implementation-steps.png" alt-text="The procedure to implement attack surface reduction rules" lightbox="media/asr-rules-implementation-steps.png":::
   
@@ -44,7 +44,7 @@ Implementing attack surface reduction rules move the first test ring into an ena
 4. Switch problematic rules back to Audit.
 
    > [!NOTE]
-   > For problematic rules (rules creating too much noise), it's better to create exclusions than to turn off rules or switching back to Audit. You'll have to determine what is best for your environment.
+   > For problematic rules (rules creating too much noise), it's better to create exclusions than to turn off rules or switching back to Audit. You have to determine what is best for your environment.
 
 > [!TIP]
 > When available, take advantage of the Warn mode setting in rules to limit disruptions. Enabling attack surface reduction rules in Warn mode enables you to capture triggered events and view their potential disruptions, without actually blocking end-user access. Learn more: [Warn mode for users](attack-surface-reduction.md#warn-mode-for-users).
@@ -57,15 +57,15 @@ Warn mode is effectively a Block instruction, but with the option for the user t
 
 When you're confident that you've correctly configured the attack surface reduction rules for ring 1, you can widen the scope of your deployment to the next ring (ring n + 1).
 
-In the follwing deployment process, steps 1 – 3 are essentially the same for each subsequent ring:
+In the following deployment process, steps 1 – 3 are essentially the same for each subsequent ring:
 
 1. Test rules in Audit mode.
 
 2. Review attack surface reduction-triggered audit events in the Microsoft Defender portal.
 
 3. Create exclusions.
 
-4. Review: refine, add, or remove exclusions as necessary.
+4. Review, and then refine, add, or remove exclusions as necessary.
 
 5. Set rules to "block" mode.
 
@@ -77,7 +77,7 @@ In the follwing deployment process, steps 1 – 3 are essentially the same for e
 
 #### Customize attack surface reduction rules
 
-As you continue to expand your attack surface reduction rules deployment, you might find it necessary or beneficial to customize the attack surface reduction rules that you've enabled.
+As you continue to expand your attack surface reduction rules deployment, you might find it necessary or beneficial to customize the attack surface reduction rules that are enabled.
 
 ##### Exclude files and folders
 

defender-endpoint/attack-surface-reduction-rules-reference.md

@@ -15,7 +15,7 @@ ms.collection:
 - m365-security
 - tier2
 - mde-asr
-ms.date: 04/30/2025
+ms.date: 06/10/2025
 search.appverid: met150
 ---
 
@@ -651,6 +651,9 @@ GUID: `a8f5898e-1dc8-49a9-9878-85004b8a61e6`
 
 Dependencies: Microsoft Defender Antivirus
 
+> [!NOTE]
+> When managing ASR rules using Microsoft Defender for Endpoint security settings management, the setting for **Block Webshell creation for Servers** must be configured as `Not Configured` in Group Policy or other local settings. If this rule is set to any other value (such as `Enabled` or `Disabled`), it could cause conflicts and prevent the policy from applying correctly through security settings management.
+
 ### Block Win32 API calls from Office macros
 
 This rule prevents VBA macros from calling Win32 APIs. Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.

defender-endpoint/basic-permissions.md

@@ -14,7 +14,7 @@ audience: ITPro
 ms.collection: 
 - m365-security
 - tier2
-ms.topic: conceptual
+ms.topic: how-to
 search.appverid: met150
 ms.date: 06/25/2024
 ---

defender-endpoint/behavior-monitor-macos.md

@@ -6,7 +6,7 @@ ms.author: ewalsh
 manager: deniseb
 ms.service: defender-endpoint
 ms.topic: overview
-ms.date: 05/15/2025
+ms.date: 06/06/2025
 ms.subservice: ngp
 audience: ITPro
 ms.collection:
@@ -61,7 +61,7 @@ The following sections describe each of these methods in detail.
 
 ### Intune deployment
 
-1. Copy the following XML to create a _.plist_ file and save it as **BehaviorMonitoring_for_MDE_on_macOS.mobileconfig**
+1. Copy the following XML to create a _.plist_ file and save it as `BehaviorMonitoring_for_MDE_on_macOS.mobileconfig`.
 
    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
@@ -131,15 +131,15 @@ The following sections describe each of these methods in detail.
 
 5. Go to the plist file you saved earlier and save it as `com.microsoft.wdav.xml`.
 
-6. Enter `com.microsoft.wdav` as the **custom configuration profile name**.
+6. Specify `com.microsoft.wdav` as the **custom configuration profile name**.
 
 7. Open the configuration profile and upload the `com.microsoft.wdav.xml` file and select **OK**.
 
 8. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices or to a Device Group or User Group.**
 
 #### JamF deployment
 
-1. Copy the following XML to create a _.plist_ file and save it as **Save as BehaviorMonitoring_for_MDE_on_macOS.plist**
+1. Copy the following XML to create a _.plist_ file and save it as `Save as BehaviorMonitoring_for_MDE_on_macOS.plist`:
 
    ```xml
    <?xml version="1.0" encoding="UTF-8"?>
@@ -161,8 +161,11 @@ The following sections describe each of these methods in detail.
    ```
 
 2. In **Computers** > **Configuration Profiles**, select **Options** > **Applications & Custom Settings**,
+
 3. Select **Upload File** (_.plist_ file).
-4. Set preference domain to *com.microsoft.wdav*
+
+4. Set preference domain to `com.microsoft.wdav`.
+
 5. Upload the plist file saved earlier.
 
 For more information, see: [Set preferences for Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-preferences).
@@ -183,6 +186,16 @@ sudo mdatp config behavior-monitoring --value disabled
 
 For more information, see: [Resources for Microsoft Defender for Endpoint on macOS](/defender-endpoint/mac-resources).
 
+### Verifying behavior monitoring is enabled
+
+To verify behavior monitoring is enabled, open Terminal, copy and run the following command:
+
+```bash
+mdatp health --details features
+```
+
+When behavior monitoring is enabled, the result displays the value of `behavior_monitoring` as enabled.
+
 ### To test behavior monitoring (prevention/block) detection
 
 See [Behavior Monitoring demonstration](demonstration-behavior-monitoring.md).
@@ -192,9 +205,7 @@ See [Behavior Monitoring demonstration](demonstration-behavior-monitoring.md).
 The existing Microsoft Defender for Endpoint on macOS command line interface can be used to review behavior monitoring details and artifacts.
 
 ```bash
-
 sudo mdatp threat list
-
 ```
 
 ### Frequently asked questions (FAQ)
@@ -224,7 +235,7 @@ sudo mdatp exclusion process add --path <path to process with lots of events>
 ```
 
 > [!IMPORTANT]
-> Please verify the reliability of the processes being excluded. Excluding these processes will prevent all events from being sent to behavior monitoring and from undergoing content scanning. However, EDR will continue to receive events from these processes. It is important to note that this mitigation is unlikely to reduce CPU usage of the `wdavdaemon` or `wdavdaemon_enterprise` processes, but may affect `wdavdaemon_unprivileged`. If the other two processes are also experiencing high CPU usage, behavior monitoring may not be the sole cause, and contacting Microsoft support is recommended.
+> Verify the reliability of the processes being excluded. Excluding these processes will prevent all events from being sent to behavior monitoring and from undergoing content scanning. However, EDR will continue to receive events from these processes. It is important to note that this mitigation is unlikely to reduce CPU usage of the `wdavdaemon` or `wdavdaemon_enterprise` processes, but may affect `wdavdaemon_unprivileged`. If the other two processes are also experiencing high CPU usage, behavior monitoring may not be the sole cause, and contacting Microsoft support is recommended.
 
 Once done, disable behavior monitoring statistics:
 
@@ -269,29 +280,21 @@ NRI should have a low impact on network performance. Instead of holding the conn
 2. Enable behavior monitoring if it's not already enabled:
 
    ```Bash
-
-   sudo mdatp config behavior-monitoring --value enabled
-   
+   sudo mdatp config behavior-monitoring --value enabled   
    ```
 
 3. Enable network protection in block mode:
 
    ```Bash
-
    sudo mdatp config network-protection enforcement-level --value block
-   
    ```
 
 1. Enable network real-time inspection (NRI):
 
-      ```Bash
-   
+   ```Bash
    sudo mdatp network-protection remote-settings-override set --value "{\"enableNriMpengineMetadata\" : true}"
-   
-   
    ```
 
    > [!NOTE]
    > While this feature is in preview, and because the setting is set by using command line, network real-time inspection (NRI) doesn't persist following reboots. You must re-enable it.
    
-